Banwarum.A

Summary

The first Banwarum worm variant was found at the end of May 2006, and two slightly different variants appeared shortly afterwards. Banwarum spreads in e-mail messages with varying German subjects and body texts; some of its messages resemble those sent by the Sober worm. The worm also has backdoor functionality.

Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Installation to System

The worm's file is a PE executable. When run, it drops the worm's main component into the Windows System directory as mszsrn32.dll and injects that DLL into the winlogon.exe process. Once active, the DLL registers itself as a Winlogon notification package by creating a subkey named 'mszsrn32' under:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

Winlogon loads notification packages at boot, so the worm's DLL gains control inside winlogon.exe before any user logs on. This persistence mechanism is specific to Windows 2000/XP/2003: Windows Vista and later no longer load Winlogon notification packages.

Spreading in E-mails

Before spreading, the worm harvests e-mail addresses. It scans all drives from C: to Z:, except CD-ROM drives, for files with the following extensions:

adb

asa

asc

asm

asp

cgi

con

csp

csv

dbx

dlt

doc

dwt

edm

hta

htc

htm

html

inc

jsp

jst

lbi

php

rdf

rss

sht

ssi

stm

tbb

tbi

txt

vbp

vbs

wab

wml

xht

xls

xml

xsd

xst

The worm ignores e-mail addresses if they contain any of the following substrings:

.arpa

.gov

.mil

abuse

admin

avp.

berkeley

borland.com

bsd.it

bugs

cisco

contact

debian

drweb.

fido

gnu.org

google

help

iana.

ibm.com

info

kaspersky

linux

microsoft.com

php.net

postmaster

privacy

rating

register

ripe.

root

secure

service

site

soft

sophos

sun.com

support

virus

web

webmaster

The worm composes several different e-mail messages, all of them in German. The subject can be any of the following:

The attachment is either an executable with a double extension or an archive in 7-Zip, WinAce or WinRAR format.
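A mail-gateway check for attachments of this kind, as an added example that is not part of the F-Secure description: the double extension works because Windows Explorer's default "hide extensions for known file types" displays Rechnung.doc.exe as Rechnung.doc, so the script identifies content by signature bytes rather than by name and reports a double extension, an executable hiding behind a non-executable extension, or an archive whose declared extension does not match its content. The set of executable extensions and all sample file names and byte strings are assumptions constructed for the example.

```python
"""Mail-gateway triage of Banwarum-style attachments.

Added example, not from the F-Secure description.  Content is classified by
magic bytes so a renamed file cannot dodge the check; the file name is only
used to spot double extensions and name/content mismatches.
"""

# (label, offset, magic): 7z and RAR signatures sit at offset 0, the ACE
# signature "**ACE**" sits at offset 7 of the archive's main header.
ARCHIVE_MAGIC = [
    ("7z", 0, b"7z\xbc\xaf\x27\x1c"),
    ("rar", 0, b"Rar!\x1a\x07"),      # RAR 1.5-4.x (..07 00) and RAR5 (..07 01 00)
    ("ace", 7, b"**ACE**"),
]
ARCHIVE_LABELS = {label for label, _, _ in ARCHIVE_MAGIC}
# Assumption: extensions Windows runs directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}


def sniff_type(data: bytes) -> str:
    """Classify attachment content by signature, ignoring its file name."""
    if data[:2] == b"MZ":                     # DOS/PE executable header
        return "pe"
    for label, offset, magic in ARCHIVE_MAGIC:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def split_extensions(filename: str) -> list:
    """All extensions of a name, lower-cased, with padding spaces removed
    ('Rechnung.doc        .exe' -> ['doc', 'exe'])."""
    return [p.strip() for p in filename.lower().split(".")][1:]


def classify_attachment(filename: str, data: bytes):
    """Return (content_type, reasons); an empty reasons list is a clean result."""
    exts = split_extensions(filename)
    kind = sniff_type(data)
    reasons = []
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("double extension")
    if kind == "pe" and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        reasons.append("executable content behind non-executable extension")
    if exts and exts[-1] in ARCHIVE_LABELS and kind != exts[-1]:
        reasons.append(f"declared .{exts[-1]} but content is {kind}")
    return kind, reasons


# Constructed samples: a short stub is enough to carry each signature.
SAMPLE_ATTACHMENTS = {
    "Rechnung.doc.exe": b"MZ" + b"\x90" * 62,
    "Bestellung.doc": b"MZ" + b"\x90" * 62,
    "Mahnung.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 57,
    "Daten.rar": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 58,
    "Foto.ace": b"\x00" * 7 + b"**ACE**" + b"\x00" * 50,
    "Hinweis.txt": b"Guten Tag",
}


def triage(attachments=SAMPLE_ATTACHMENTS):
    """Map file name -> (content_type, reasons) for every attachment."""
    return {name: classify_attachment(name, data)
            for name, data in attachments.items()}


if __name__ == "__main__":
    for name, (kind, reasons) in triage().items():
        print(f"{name:18} {kind:8} {', '.join(reasons) or 'ok'}")
```

An archive by itself is not a finding; what the worm relies on is that the gateway does not look inside it. Whether to block or unpack 7z/RAR/ACE attachments is a policy decision, and the script only makes the content type visible so that policy can be applied.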

Payload

The worm has backdoor capabilities. It connects to one of these sites:

5dime.net

7stick.biz

7stick.info

brancholania.biz

brancholania.net

frachetto.com

frachetto.info

monti2.com

olania.com

olania.net

The backdoor reports its ID, uptime, version, operating system type and some other information to the site. It can also receive commands from its operator and do any of the following:

Download and run files

Perform DoS (Denial of Service) attack

Start mass-mailing

Start vulnerability scanner

Update itself from Internet
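Because every infected host reports to one of the sites listed above, DNS resolver logs are the quickest way to scope an outbreak. The following is an added example and not part of the F-Secure description: it matches query names against the backdoor's domain list, treating subdomains (www.olania.net) as hits but not look-alikes (notolania.com, olania.network), and returns the querying clients. The log lines are constructed in the shape of a BIND query log; adapt the regular expression to your own resolver's format.

```python
"""Find hosts resolving Banwarum.A backdoor domains in a DNS query log.

Added example, not from the F-Secure description.  The domain list is the one
published in the description; the log lines are constructed.
"""
import re

BANWARUM_C2_DOMAINS = {
    "5dime.net", "7stick.biz", "7stick.info", "brancholania.biz",
    "brancholania.net", "frachetto.com", "frachetto.info", "monti2.com",
    "olania.com", "olania.net",
}

# Assumption: BIND-style query log, e.g.
# "24-May-2006 10:12:01.101 client 10.0.0.5#1034: query: www.olania.net IN A +"
QUERY_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\w+)")


def matched_c2_domain(name, c2=BANWARUM_C2_DOMAINS):
    """Return the listed domain that `name` equals or is a subdomain of,
    else None.  Matching is on whole labels, so 'notolania.com' is not a hit."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in c2:
            return candidate
    return None


def find_c2_lookups(log_lines):
    """Return one record per query that resolves a backdoor domain."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname, qtype = m.groups()
        domain = matched_c2_domain(qname)
        if domain:
            hits.append({"client": client, "query": qname.rstrip(".").lower(),
                         "qtype": qtype, "c2": domain})
    return hits


def clients_contacting_c2(log_lines):
    """Sorted list of distinct client IPs that looked up any backdoor domain."""
    return sorted({hit["client"] for hit in find_c2_lookups(log_lines)})


# Constructed sample log: two infected clients, one clean client.
SAMPLE_QUERY_LOG = [
    "24-May-2006 10:12:01.101 client 10.0.0.5#1034: query: www.olania.net IN A +",
    "24-May-2006 10:12:03.442 client 10.0.0.5#1035: query: 7stick.biz IN A +",
    "24-May-2006 10:12:04.008 client 10.0.0.9#2201: query: www.microsoft.com IN A +",
    "24-May-2006 10:12:05.310 client 10.0.0.9#2202: query: notolania.com IN A +",
    "24-May-2006 10:12:06.777 client 10.0.0.12#1040: query: olania.network IN A +",
    "24-May-2006 10:12:07.000 client 10.0.0.12#1041: query: MONTI2.COM. IN MX +",
]

if __name__ == "__main__":
    for hit in find_c2_lookups(SAMPLE_QUERY_LOG):
        print(f"{hit['client']} looked up {hit['query']} (matches {hit['c2']})")
    print("infected clients:", clients_contacting_c2(SAMPLE_QUERY_LOG))
```

These domains date from 2006 and have very likely been sinkholed or re-registered since, so treat a match as a lead to confirm with the registry check above rather than as proof of infection on its own.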

Origin

The author named the worm 'Win32.Zasrancheg'. The word 'zasrancheg' is Russian, spelled in the deliberately distorted form of Russian internet slang that was current at the time, which strongly suggests that the author is a Russian speaker.

Detection

Detection Type: PC

Database: 2006-05-24_02

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis